Protect Your Company With a CSIRT

By Peter Ridgley

Corporations today face a high risk of a security incident and the increased possibility of serious financial problems caused by a data breach. Yet, according to the “Verizon 2011 Data Breach Investigations Report,” 96 percent of incidents would have been avoidable through simple or intermediate-level controls. An effective computer security incident response team (CSIRT) can help your organization protect critical assets and data and lower risks by increasing awareness and creating controls.

In a company’s IT environment, a host of factors can combine to create dynamics that threaten confidential data. The increasing value and volume of sensitive data, mobile technology, advanced platforms, compiled software that’s readily available to test and exploit, and the complexity of most infrastructures and applications can all combine to create a complex web that must be protected. Contributing to the problem are outdated configurations and patches, “bolt-on” security that’s improperly integrated with current processes, and inadequate prevention, detection and response activities—all of which expose the enterprise to potential breaches and losses.

The Verizon report indicated that, although large organizations experienced a significant number of breaches, a “virtual explosion of breaches involved smaller organizations.” Eighty-three percent were victims of opportunity: Had more stable and secure structures been in place, these organizations might not have experienced a breach.

The costs for even a small security event can add up. Companies incur attorneys’ fees to prepare breach notifications and victim lists, plus printing and mailing costs. Systems removed from service reduce productivity and add to the bill. Costs can escalate further with the overtime required to contain, remediate and restore services, as well as the expense of external experts brought in to investigate or provide specialized services.

If insurance is leveraged, premiums may increase. If reparations are required, such as identity theft protection for consumers or new controls to prevent future incidents, these outlays are included in the cost of a security incident. In addition, public companies may face a loss in stock value.

Investing in incident prevention can reduce the number of breaches and the associated repercussions.

Create the Team

Being prepared with an effective CSIRT can help calm the chaos during and following an incident, reduce outage times, and rebuild trust with both internal and external customers.

According to the Carnegie-Mellon Software Engineering Institute, a CSIRT is “an organization or team that provides services and support to a defined constituency for preventing, handling and responding to computer security incidents.” An effective CSIRT should be proactive, able to communicate and work effectively with all key stakeholders, and maintain a cohesive set of coordinated processes to respond to an incident.

Establishing an effective CSIRT can be difficult. Often, enterprises fail to assign formal responsibility to a predetermined group of experienced security professionals. But a decentralized, ad hoc approach to incident response can lead to miscommunication, failure to standardize and analyze response procedures, and minimal reporting or postmortem evaluation.

In most organizations, CSIRTs are embedded in IT and focus on response activities. A more effective CSIRT organization may still reside in IT, but it should be focused on prevention activities.